<!DOCTYPE html>
<html lang="en">
  <head>
    <link rel="stylesheet" type="text/css" href="/css/style.css?v=3" />
    <link rel="stylesheet" type="text/css" href="/css/fontello.css?v=2" />
    <link rel="stylesheet" type="text/css" href="/css/themes/nitter.css" />
    <link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png" />
    <link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png" />
    <link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png" />
    <link rel="manifest" href="/site.webmanifest" />
    <link rel="mask-icon" href="/safari-pinned-tab.svg" color="#ff6c60" />
    <link rel="search" type="application/opensearchdescription+xml" title="nitter" href="https://nitter.net/opensearch" />
    <title>Tillmann Werner (@nunohaien): &quot;YARA rule for the loader: 𝚛𝚞𝚕𝚎 𝚕𝚘𝚊𝚍𝚎𝚛 { 𝚜𝚝𝚛𝚒𝚗𝚐𝚜: $ = { 𝟼𝟷 𝟹𝟷 𝙲𝟸 𝟾𝙱 𝟺𝟻 𝙵𝙲 𝟺𝟾 𝟿𝟾 } 𝚌𝚘𝚗𝚍𝚒𝚝𝚒𝚘𝚗: 𝚊𝚕𝚕 𝚘𝚏 𝚝𝚑𝚎𝚖 }&quot; | nitter</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <meta property="og:type" content="article" />
    <meta property="og:title" content="Tillmann Werner (@nunohaien)" />
    <meta property="og:description" content="YARA rule for the loader: 𝚛𝚞𝚕𝚎 𝚕𝚘𝚊𝚍𝚎𝚛 { 𝚜𝚝𝚛𝚒𝚗𝚐𝚜: $ = { 𝟼𝟷 𝟹𝟷 𝙲𝟸 𝟾𝙱 𝟺𝟻 𝙵𝙲 𝟺𝟾 𝟿𝟾 } 𝚌𝚘𝚗𝚍𝚒𝚝𝚒𝚘𝚗: 𝚊𝚕𝚕 𝚘𝚏 𝚝𝚑𝚎𝚖 }" />
    <meta property="og:site_name" content="Nitter" />
    <meta property="og:locale" content="en_US" />
    <link rel="preload" type="font/woff2" as="font" href="/fonts/fontello.woff2?21002321" crossorigin="anonymous" />
  </head>
  <body>
    <nav><div class="inner-nav">
        <div class="nav-item"><a class="site-name" href="/">nitter</a></div>
        <a href="/"><img class="site-logo" src="/logo.png" /></a>
        <div class="nav-item right">
          <div class="icon-container"><a class="icon-search" title="Search" href="/search"></a></div>
          <div class="icon-container"><a class="icon-bird" title="Open in Twitter" href="https://twitter.com/nunohaien/status/1261281420791742464"></a></div>
          <a href="https://liberapay.com/zedeus"><svg class="lp" viewBox="0 0 40.6 52.3">
  <g transform="matrix(0.83,0,0,0.83,-158,-261)">
    <path d="m202.5,366c-3.1 0-5.5-0.4-7.3-1.2-1.8-0.8-3-1.9-3.8-3.3-0.8-1.4-1.1-3-1.1-4.8 0-1.8 0.3-3.7 0.8-5.8l8.3-34.8 10.2-1.6-9.1 37.8c-0.2 0.8-0.3 1.5-0.3 2.2 0 0.7 0.1 1.2 0.4 1.7 0.3 0.5 0.7 0.9 1.3 1.2 0.6 0.3 1.5 0.5 2.7 0.6l-2 8.1"/>
    <path d="m239.2 344.3c0 3.2-0.5 6.1-1.6 8.8-1 2.6-2.5 4.9-4.4 6.9-1.9 1.9-4.1 3.4-6.7 4.5-2.6 1.1-5.4 1.6-8.5 1.6-1.5 0-3-0.1-4.5-0.4l-3 11.9h-9.7l10.9-45.4c1.7-0.5 3.7-1 6-1.4 2.3-0.4 4.7-0.6 7.3-0.6 2.4 0 4.6 0.4 6.3 1.1 1.8 0.7 3.2 1.8 4.4 3 1.1 1.3 2 2.8 2.5 4.5 0.5 1.7 0.8 3.6 0.8 5.5m-23.8 13.4c0.7 0.2 1.7 0.3 2.8 0.3 1.7 0 3.3-0.3 4.7-1 1.4-0.6 2.6-1.5 3.6-2.7 1-1.1 1.7-2.5 2.3-4.1 0.5-1.6 0.8-3.4 0.8-5.3 0-1.9-0.4-3.5-1.2-4.8-0.8-1.3-2.3-2-4.3-2-1.4 0-2.7 0.1-3.9 0.4l-4.6 19.1"/>
  </g>
</svg>
</a>
          <div class="icon-container"><a class="icon-info" title="About" href="/about"></a></div>
          <form class="icon-button" method="get" action="/settings">
            <input name="referer" value="/nunohaien/status/1261281420791742464#m" style="display: none; " />
            <button type="submit"><div class="icon-container"><span class="icon-cog" title="Preferences"></span></div></button>
          </form>
        </div>
      </div></nav>
    <div class="container"><div class="conversation">
        <div class="main-thread">
          <div class="before-tweet thread-line"><div class="timeline-item ">
              <a class="tweet-link" href="/nunohaien/status/1261281419483140096#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/nunohaien"><img class="avatar" src="/pic/profile_images%2F1268194215202349056%2FpyI3nzqV_bigger.png" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/nunohaien" title="Tillmann Werner">Tillmann Werner</a>
                        <a class="username" href="/nunohaien" title="@nunohaien">@nunohaien</a>
                      </div>
                      <span class="tweet-date"><a href="/nunohaien/status/1261281419483140096#m" title="15/5/2020, 13:04:58">15 May 2020</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">Thread: High performance computing labs are currently reporting breaches. Malicious ELF64 binaries are being placed under /𝚎𝚝𝚌/𝚏𝚘𝚗𝚝𝚜/.𝚏𝚘𝚗𝚝𝚜 (suid-root loader) and /𝚎𝚝𝚌/𝚏𝚘𝚗𝚝𝚜/.𝚕𝚘𝚠 (log cleaner). Germany seems to be impacted the most with several victims.</div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 15</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 167</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span> 12</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 292</div></span>
                </div>
              </div>
            </div></div>
          <div id="m" class="main-tweet"><div class="timeline-item thread thread-line"><div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/nunohaien"><img class="avatar" src="/pic/profile_images%2F1268194215202349056%2FpyI3nzqV_bigger.png" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/nunohaien" title="Tillmann Werner">Tillmann Werner</a>
                        <a class="username" href="/nunohaien" title="@nunohaien">@nunohaien</a>
                      </div>
                      <span class="tweet-date"><a href="/nunohaien/status/1261281420791742464#m" title="15/5/2020, 13:04:58">15 May 2020</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">YARA rule for the loader: 𝚛𝚞𝚕𝚎 𝚕𝚘𝚊𝚍𝚎𝚛 { 𝚜𝚝𝚛𝚒𝚗𝚐𝚜: $ = { 𝟼𝟷 𝟹𝟷 𝙲𝟸 𝟾𝙱 𝟺𝟻 𝙵𝙲 𝟺𝟾 𝟿𝟾 } 𝚌𝚘𝚗𝚍𝚒𝚝𝚒𝚘𝚗: 𝚊𝚕𝚕 𝚘𝚏 𝚝𝚑𝚎𝚖 }</div>
                <p class="tweet-published">1:04 PM · May 15, 2020</p>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 2</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 3</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span> 2</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 17</div></span>
                </div>
              </div></div></div>
          <div class="after-tweet thread-line">
            <div class="timeline-item ">
              <a class="tweet-link" href="/nunohaien/status/1261281422016278529#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/nunohaien"><img class="avatar" src="/pic/profile_images%2F1268194215202349056%2FpyI3nzqV_bigger.png" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/nunohaien" title="Tillmann Werner">Tillmann Werner</a>
                        <a class="username" href="/nunohaien" title="@nunohaien">@nunohaien</a>
                      </div>
                      <span class="tweet-date"><a href="/nunohaien/status/1261281422016278529#m" title="15/5/2020, 13:04:59">15 May 2020</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">YARA rule for the log cleaner: 𝚛𝚞𝚕𝚎 𝚌𝚕𝚎𝚊𝚗𝚎𝚛 { 𝚜𝚝𝚛𝚒𝚗𝚐𝚜: $ = { 𝟷𝟺 𝙲𝙲 𝙵𝙲 𝟸𝟾 𝟸𝟻 𝙳𝙴 𝙱𝟿 } 𝚌𝚘𝚗𝚍𝚒𝚝𝚒𝚘𝚗: 𝚊𝚕𝚕 𝚘𝚏 𝚝𝚑𝚎𝚖 }</div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 4</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 4</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span> 0</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 14</div></span>
                </div>
              </div>
            </div>
            <div class="timeline-item ">
              <a class="tweet-link" href="/nunohaien/status/1261281423245357058#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/nunohaien"><img class="avatar" src="/pic/profile_images%2F1268194215202349056%2FpyI3nzqV_bigger.png" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/nunohaien" title="Tillmann Werner">Tillmann Werner</a>
                        <a class="username" href="/nunohaien" title="@nunohaien">@nunohaien</a>
                      </div>
                      <span class="tweet-date"><a href="/nunohaien/status/1261281423245357058#m" title="15/5/2020, 13:04:59">15 May 2020</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">If you are affected or have additional details, feel free to get in touch. DMs are open.</div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 3</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span> 0</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 12</div></span>
                </div>
              </div>
            </div>
            <div class="timeline-item thread-last ">
              <a class="tweet-link" href="/nunohaien/status/1261284646341533699#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/nunohaien"><img class="avatar" src="/pic/profile_images%2F1268194215202349056%2FpyI3nzqV_bigger.png" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/nunohaien" title="Tillmann Werner">Tillmann Werner</a>
                        <a class="username" href="/nunohaien" title="@nunohaien">@nunohaien</a>
                      </div>
                      <span class="tweet-date"><a href="/nunohaien/status/1261284646341533699#m" title="15/5/2020, 13:17:47">15 May 2020</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">Files differ between infections although functionality is the same. Looks like they get compiled on the target. Anyone affected, consider carving for deleted source code.</div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 2</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 2</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 14</div></span>
                </div>
              </div>
            </div>
          </div>
        </div>
        <div id="r" class="replies"><div class="reply thread thread-line">
            <div class="timeline-item ">
              <a class="tweet-link" href="/jaimeblascob/status/1261302257427103747#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/jaimeblascob"><img class="avatar" src="/pic/profile_images%2F634846839699668992%2FCx40HOMk_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/jaimeblascob" title="Jaime Blasco">Jaime Blasco</a>
                        <a class="username" href="/jaimeblascob" title="@jaimeblascob">@jaimeblascob</a>
                      </div>
                      <span class="tweet-date"><a href="/jaimeblascob/status/1261302257427103747#m" title="15/5/2020, 14:27:46">15 May 2020</a></span>
                    </div>
                  </div></div>
                <div class="replying-to">Replying to <a href="/nunohaien">@nunohaien</a></div>
                <div class="tweet-content media-body" dir="auto">Do you happen to have any hashes you can share?</div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 0</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span> 0</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 0</div></span>
                </div>
              </div>
            </div>
            <div class="timeline-item ">
              <a class="tweet-link" href="/markus_neis/status/1261369356753272834#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/markus_neis"><img class="avatar" src="/pic/profile_images%2F1274043298303356930%2Fs2wmY19o_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/markus_neis" title="markus neis">markus neis</a>
                        <a class="username" href="/markus_neis" title="@markus_neis">@markus_neis</a>
                      </div>
                      <span class="tweet-date"><a href="/markus_neis/status/1261369356753272834#m" title="15/5/2020, 18:54:24">15 May 2020</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">cleaner hashes 
780f236fb3646534832b2da9d5cf6eb0
c764ba53fa9c5a24a88a1d2e17be6943
ce7240b8bbb2bee8f300321eef46a41e
d42553bd420e80ec31df5da2d5b932e0
65dde869c0e1455de24aadf5aa4538a2
a0ec7d355dc9e7f232fb47bf401c3138
261f16ec5d72078f6e3c21551ceaecb2
0b522e54bf3f276496793c44bec7362b</div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 0</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span> 0</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 3</div></span>
                </div>
              </div>
            </div>
            <div class="timeline-item more-replies"><a class="more-replies-text" href="/markus_neis/status/1261369356753272834#m">more replies</a></div>
          </div></div>
        <div class="top-ref"><div class="icon-container"><a class="icon-down" title="" href="#m"></a></div></div>
      </div></div>
  </body>
</html>